From 3fa32f88b4702cec41b8c3fb1e1a4c57042872f0 Mon Sep 17 00:00:00 2001
From: Tom Cobb
Date: Mon, 18 Dec 2023 10:30:51 +0000
Subject: [PATCH] Add trusted publishing

---
 .github/workflows/code.yml | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/code.yml b/.github/workflows/code.yml
index c0fd956d..3fcb400b 100644
--- a/.github/workflows/code.yml
+++ b/.github/workflows/code.yml
@@ -41,12 +41,12 @@ jobs:
 matrix:
 os: ["ubuntu-latest"] # can add windows-latest, macos-latest
 python: ["3.9", "3.10", "3.11"]
- install: ["-e .[dev,service,plotting]"]
+ install: ["-e .[dev]"]
 # Make one version be non-editable to test both paths of version code
 include:
 - os: "ubuntu-latest"
 python: "3.8"
- install: ".[dev,service,plotting]"
+ install: ".[dev]"
 
 runs-on: ${{ matrix.os }}
 env:
@@ -177,11 +177,9 @@ jobs:
 
 release:
 # upload to PyPI and make a release on every tag
- needs: [lint, dist, test]
- if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags') }}
+ needs: [dist]
+ if: github.ref_type == 'tag'
 runs-on: ubuntu-latest
- env:
- HAS_PYPI_TOKEN: ${{ secrets.PYPI_TOKEN != '' }}
 steps:
 - uses: actions/download-artifact@v3
 
@@ -203,8 +201,17 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+ pypi:
+ needs: [dist]
+ if: github.ref_type == 'tag'
+ runs-on: ubuntu-latest
+ permissions:
+ # this permission is mandatory for trusted publishing To PyPI
+ id-token: write
+ # Specify the GitHub Environment to publish to
+ environment: release
+
+ steps:
+ - uses: actions/download-artifact@v3
 - name: Publish to PyPI
- if: ${{ env.HAS_PYPI_TOKEN }}
 uses: pypa/gh-action-pypi-publish@release/v1
- with:
- password: ${{ secrets.PYPI_TOKEN }}
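Review bot: The matrix change from `install: ["-e .[dev,service,plotting]"]` to `install: ["-e .[dev]"]` (and the matching `include` entry) is unrelated to the trusted-publishing subject and means the `service` and `plotting` extras are no longer installed or exercised by the test jobs, if those extras still exist in the package metadata. If dropping them is intentional, say so in the commit message or in a comment above the matrix, e.g. `# only the dev extras are installed in CI; service/plotting extras are covered elsewhere`; otherwise split it into its own commit so the CI-coverage change is reviewable on its own.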
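Review bot: `needs: [dist]` replaces `needs: [lint, dist, test]`, so the `release` job now creates a GitHub release for a tag even when lint or the test matrix has failed or is still running; the new `pypi` job in the next hunk has the same `needs: [dist]`, so an unchecked build can also reach PyPI. Unless the intent is to release regardless of test results, keep the full gate on both jobs: `needs: [lint, dist, test]`. The job comment `# upload to PyPI and make a release on every tag` is also stale for `release`, since the PyPI step now lives in the `pypi` job; `# make a GitHub release on every tag` would describe it. The rest of the `release` job's steps continue outside this hunk.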
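Review bot: The `pypi` job hands the OIDC token (via `id-token: write`) to `pypa/gh-action-pypi-publish@release/v1`, a mutable branch reference, so the code that performs the authenticated upload is whatever that branch points to at run time; for a publishing job, pin to a full commit SHA and keep the tag as a comment, `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, and the same applies to `actions/download-artifact@v3`. The comment `# Specify the GitHub Environment to publish to` is indented under `permissions:` but describes the job-level `environment: release` key; move it one level out so it sits directly above that line. `environment: release` is what lets PyPI's trusted-publisher configuration and GitHub's environment protection rules (required reviewers, branch/tag restrictions) bound who can trigger an upload, so confirm the `release` environment is actually protected rather than just named. The download step has no `name:`, so it relies on the `dist` job uploading into whatever layout the publish action expects (`dist/` by default) — worth a comment or an explicit `with: name:` if the artifact name is known.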